Re: intercepting system calls

From: Douglas Kilpatrick (dougkat_private)
Date: Sun Apr 15 2001 - 16:05:19 PDT

    On 13 Apr 2001, David Wagner wrote:
    
    > >Yep.  Execve is a pretty straight forward example though... As long as
    > >you are trying to augment the system call and not replace it, the
    > >argument decoding you do is pretty straight forward.
    >
    > Did you implement this in the kernel on Linux?  How did you deal
    > with the fact that the implementation sys_execve() reads from its
    > caller's stack frame?  Due to this issue, I found that just putting
    > a wrapper around sys_execve() doesn't work, and I essentially had
    > to cut-and-paste code from arch/i386/kernel/process.c.  Do you have
    > a better solution?
    
    Um, depends on your definition of "better".
    
    Basically, we started by doing pretty much the same thing... The
    replacement stubs for fork() and exec() both passed a pointer to the
    stack frame as an extra argument and the "real" versions of the system
    call copied heavily from process.c.
    
    Then our low-level guy redid our interposition in assembly.  He ended
    up managing to have no stack footprint when we called the original
    system call, so we no longer needed to copy anything... Of course,
    that's not portable at all.
    
    > Can you give any examples?  In Janus, we pushed all these checks
    > to open(), but are there some important cases where you can't do this?
    
    The following is taken from one of our sample wrappers.  It's evil, but cool:
    
    wrapper dbfencrypt {
        ...
        linux::oattr{fileop&&fdretop} post { /* open et al. */
            if ($fdret >= 0 && /* filename ends in a token character */ ) {
                WQL {
                    insert into active_files values ($fdret, _pid);
                };
            }
        }
        linux::op{write} pre {
            DBROW::active_files_table row;
            WQL {
                select into row from active_files where
                    .pid = _pid and .fd = $fd;
            };
            if (!row.isempty()) {
                /* Encrypt data en-route to system call. */
            }
        }
        linux::op{read} pre {
            DBROW::active_files_table row;
            WQL {
                select into row from active_files where
                    .pid = _pid and .fd = $fd;
            };
            if (!row.isempty()) {
                /* Decrypt data en-route to system call. */
            }
        }
    }
    
    Basically, for access control, intercepting "open(2)" is fine.  But
    we wanted to let you have more fun than just access control.
    
    Doug
    -- 
    dougkat_private
    dkilpatrat_private
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
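The sample wrapper above keeps one piece of state, a table of (pid, fd) pairs filled in by the open() post-hook and consulted by the write() and read() hooks. The following is an added example, not code from the WRAPPERS toolkit or from this message: a user-space C model of that table and those hooks, so the logic can be run and checked without a kernel. The table layout, the hook names (post_open, pre_write, post_read, on_close), the choice of '$' as the "token character" and the XOR stand-in for the cipher are all assumptions made here. It also covers two points the sample leaves implicit: the kernel reuses fd numbers, so a close() hook has to drop the row or the next unrelated open() on that number inherits the encryption; and read() data only exists after the call returns, so the inverse transform has to run as a post-hook on the bytes actually read.

```c
/* Added example (not the WRAPPERS toolkit's code): user-space model of the
 * state the "dbfencrypt" wrapper keeps.  The active_files table, hook names,
 * TOKEN_CHAR and the XOR stand-in for the cipher are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_ACTIVE 64
#define TOKEN_CHAR '$'   /* assumed: filenames ending in '$' are transformed */

struct active_file { int pid; int fd; int used; };
static struct active_file active_files[MAX_ACTIVE];   /* models "active_files" */

static struct active_file *find_row(int pid, int fd)
{
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (active_files[i].used && active_files[i].pid == pid && active_files[i].fd == fd)
            return &active_files[i];
    return NULL;
}

/* open() post-hook: record (pid, fd) only if the open succeeded and the name
 * ends in the token character.  Returns 1 if tracked, 0 if not applicable,
 * -1 if the table is full (a wrapper should then fail the open rather than
 * let data through in the clear). */
int post_open(int pid, const char *filename, int fdret)
{
    size_t n = strlen(filename);
    if (fdret < 0 || n == 0 || filename[n - 1] != TOKEN_CHAR)
        return 0;
    if (find_row(pid, fdret))          /* already tracked for this pid */
        return 1;
    for (int i = 0; i < MAX_ACTIVE; i++)
        if (!active_files[i].used) {
            active_files[i].pid = pid;
            active_files[i].fd = fdret;
            active_files[i].used = 1;
            return 1;
        }
    return -1;
}

/* close() hook, absent from the sample wrapper: the kernel reuses fd numbers,
 * so without this the next open() on the same number inherits a stale row and
 * an unrelated file gets scrambled on write.  Returns 1 if a row was removed. */
int on_close(int pid, int fd)
{
    struct active_file *r = find_row(pid, fd);
    if (!r)
        return 0;
    r->used = 0;
    return 1;
}

/* Toy reversible transform standing in for the real cipher (XOR; not encryption). */
static void toy_xform(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5A;
}

/* write() pre-hook: transform the buffer on its way into the kernel.
 * Returns 1 if transformed, 0 if (pid, fd) is not tracked. */
int pre_write(int pid, int fd, uint8_t *buf, size_t len)
{
    if (!find_row(pid, fd))
        return 0;
    toy_xform(buf, len);
    return 1;
}

/* read() post-hook: the data only exists once the call returns, so the
 * inverse transform runs afterwards on the bytes actually read (nread). */
int post_read(int pid, int fd, uint8_t *buf, long nread)
{
    if (nread <= 0 || !find_row(pid, fd))
        return 0;
    toy_xform(buf, (size_t)nread);
    return 1;
}

/* Drive the hooks through open/write/read/close for one pid and report whether
 * the plaintext round-trips, the stored bytes differ, and close stops tracking. */
int roundtrip_ok(void)
{
    uint8_t data[] = "hello, wrapper";           /* constructed sample data */
    uint8_t disk[sizeof data];
    int pid = 4242;
    int fd = post_open(pid, "journal$", 5) == 1 ? 5 : -1;
    if (fd < 0) return 0;
    memcpy(disk, data, sizeof data);
    if (pre_write(pid, fd, disk, sizeof data) != 1) return 0;   /* disk now holds transformed bytes */
    if (memcmp(disk, data, sizeof data) == 0) return 0;        /* must differ from plaintext */
    if (post_read(pid, fd, disk, (long)sizeof data) != 1) return 0;
    if (memcmp(disk, data, sizeof data) != 0) return 0;        /* inverse restored plaintext */
    return on_close(pid, fd) == 1 && pre_write(pid, fd, disk, sizeof data) == 0;
}

int main(void)
{
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The table is keyed on (pid, fd) exactly as the WQL rows in the sample are; a real interposition layer would also have to handle fork() (the child inherits the parent's descriptors, so rows must be duplicated for the new pid) and dup()/dup2(), which the model above does not cover.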
    



    This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 16:08:19 PDT